Is it possible to decompile a .cia into source code and then rebuild it again?

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by lucoia, Apr 27, 2015.

  1. lucoia
    OP

    lucoia Advanced Member

    Newcomer
    95
    10
    Nov 29, 2008
    United States
    As stated in the title, I got a little homemade.cia and I would like to change just 2 parameters and recompile it in .cia, is that possible somehow?

    Googling around for a while didn't help.
     
  2. Asia81

    Asia81 In my Ecchi World <3

    Member
    5,149
    2,567
    Nov 15, 2014
    France
    Albi
    homemade.cia ?
     
  3. Helmax

    Helmax GBAtemp Regular

    Member
    188
    276
    Feb 17, 2011
    United States
    You can decompile the CIA into the raw files, but not the source code that created .BIN files and such.
     
  4. Foxi4

    Foxi4 On the hunt...

    pip Reporter
    23,669
    21,706
    Sep 13, 2009
    Poland
    Gaming Grotto
    CIA is not an executable format, it's an archive used for installation.

    http://3dbrew.org/wiki/CIA

    If you want to modify the binary, you'll have to extract it from the archive.
     
  5. lucoia
    OP

    Ok so, I compiled ctrtool and tried to extract it from the .cia but it doesn't seem to work.

    That's the .cia info:

    I tried different methods and flags but the only thing I was able to get using exefs is an empty rc.bin file.

    Is there a way to extract it?
     
  6. mid-kid

    mid-kid GBAtemp spamBOT

    Member
    879
    962
    Aug 2, 2012
    I've detailed the process of decryption/extraction two times already, and I won't do it again. I still have to make a real tutorial out of it, but I'm too lazy, so if someone else can do that, it's appreciated.
    If you want to rebuild the thing, and it's a "gameapp" CIA, I recommend following the process in the first link, and then unpacking/rebuilding the .3ds with any of the tutorials available on this site (mine, of course). Just stop the process of rebuilding when you have decrypted the romfs.bin, extract it with "ctrtool --romfsdir=romfs -t romfs romfs.bin", edit the files, and use 3dstool to rebuild the romfs (it's the only command-line tool I could find which does that. I wanted to include it in a script): "3dstool -c -f romfs.bin -t romfs --romfs-dir romfs". If it's the code.bin which you want to edit, you can find it in exefs.
     
  7. lucoia
    OP

    Thanks for the useful links, I tried to just ciatoccia with makerom as mentioned on your first link, but instead of the fail to decrypt CIA content I got this error:

    I don't even know the reason for that error, which is so generic, and Google didn't help either, so I tried to get the keys for it with rxTools anyway, following your suggestions and this tutorial: https://gbatemp.net/threads/how-to-dump-and-backup-eshop-games-and-dlc.375586/

    I was able to print all my keys, but there are no keys for my homemade rc.cia listed.

    If I check it on the SD with Title Manager on the 3DS the .cia is seen both as .cia in SDMC and as installed in Program as Patch for Unique Id 0x011d7 which is confirmed in the CIA title ID: 0004000E0011D700

    I tried FunkyCIA too and it was able to rebuild all the CIAs and give me the raws too, writing all the keys to different .txt files (otherTitles, systemTitles.txt, updateTitles.txt etc. etc.) but even so there are no keys for the one I'm looking for.

    Is there anything else I can do?
     
  8. mid-kid

    Before using ciatocci, you have to install the CIA, get the SD decryption keys (These are xorpads), decrypt the .app files (with padxorer), look what kind of files they are (application, manual or dlp), and rebuild the CIA with those files (It's all explained in the link). Now you have a decrypted CIA which can be converted to CCI no problem.

    Even if you're not going to rebuild it into a CCI (You can skip that part, but given most tools out there are made to convert .3ds to .cia *cough*rsfgen.py*cough*, I find it easier), you're going to need to decrypt those .app files. Those files can also be gotten by: "ctrtool --meta=.app file.cia", but you will need to install the CIA anyway to get the xorpads.
     
  9. lucoia
    OP

    I did it and I got the 2 decrypted app files, ctrtool says 04 is the application, 05 is the manual, but when I try to remake the .cia I got this error:


    EDIT: In fact if I check decrypted_00000004.app ctrtool says "Error, program id mismatch. Wrong key?" at the end.
     
  10. mid-kid

    Those "Wrong key?" messages you can mostly ignore. I've mostly had exheader hash mismatch, but I don't think this is much different.
    Huh, that's weird.
    What kind of .cia are you even trying to extract? If it's not a "gameapp" cia, I don't think the -ciatocci option will even work.
    In any case, make sure it's really the correct file, and you've decrypted it with the correct xorpad. If you're sure, I'd carry on unpacking the "application" .app, by treating it as if it's a .3ds file, and the manual.app as if it's the manual.cfa (no need to use rom_tool to extract it, since it's not inside the app.app). Rsfgen will put weird values in the UniqueId, CompanyCode, and ProductCode fields. Fix that yourself.
    If it's not a "gameapp" cia, I'd really recommend using exinjector after the fact.
     
  11. lucoia
    OP

    The .cia is a rom hack made with its own code and part of the modified original game code in the 1.0 exefs, packed as a .cia which installs itself as a game patch with the same title id.

    ctrtool sees it as:

    Since the author dismissed the project long ago and source code is not available I wanted to tweak a couple of things by myself to make it better.

    The two .app files are decrypted correctly, I can see some plain text like product code in offset 0x150 on both files for example, but still they are decrypted but not decompiled, and I tried to unpack the content in various ways with different tools but I always get corrupted errors somehow.

    3DSExplorer can see the correct file structure if treated as .3ds but can't extract the .cxi executables from the NCCH containers.

    Isn't there just a way to decompile directly the .app back to plain text source so I can modify and then rebuild from there?
     
  12. ShadowOne333

    ShadowOne333 GBAtemp Guru

    Member
    7,369
    4,794
    Jan 17, 2013
    Mexico
    Can we extract all the files/data from a DSiWare CIA to somehow make a functional CIA in sysNAND for it?
     
  13. mid-kid

    The .app contains 3 different partitions: romfs, exefs and exheader. You are looking for unpacking romfs, and possibly the code.bin in exefs. To do this, do what I said, treat it as a .3ds file and follow any of the tutorials on this site. That means the following process:
    - Generate xorpads for the partitions
    - Extract/Decrypt the partitions
    - Extract the romfs ("ctrtool --romfsdir=romfs romfs.bin")

    It's all detailed in the links I've sent earlier, and over the whole forum.
     
  14. lucoia
    OP

    I treated it as .3ds and did it all over again, generated ncchinfo.bin, generated xorpads, but I only got 2 files:

    0004000E0011D700.Main.exheader.xorpad
    0004000E0011D700.Main.exefs_norm.xorpad

    There's not a 0004000E0011D700.Main.romfs.xorpad

    I was following this tutorial: https://gbatemp.net/threads/how-to-unpack-repack-3ds-roms.380726/ and even the included batch is expecting a *main.romfs.xorpad, so I edited it and I was only able to get decrypted exefs.bin and exheader.bin, romfs.bin is obviously empty.

    Dinner time in here, I'll look into that with more attention later or tomorrow.
     
  15. lucoia
    OP

    Looks like it's a ctrKeyGen problem.

    If I use the new ctrKeyGen.py Python 2.7 it creates a ncchinfo.bin with only 2 entries for me:

    *Main.exheader.xorpad
    *Main.exefs_norm.xorpad

    If I use the old ctrKeyGen.exe it creates a ncchinfo.bin twice as large and with more entries, including romfs.

    But if I try to generate xorpads with newer launchers.dat or rxTools I'm getting "Too many/few entries, or wrong version ncchinfo.bin"

    If I use older launcher.dat o3ds freezes.
     
  16. mid-kid

    There are different formats of ncchinfo.bin, and each tool that generates the xorpads has its own tool to generate the ncchinfo.bin (ctrKeyGen.py), so just keep to that. There are three options: SD-decryptor-void, Decrypt9 and rxTools. I'd say try them all.
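
The thread turns on which partitions (exheader, exefs, romfs) a decrypted .app actually contains and why only two xorpads were generated. The following is an added example, not code from any poster or tool in the thread: it reads an NCCH header and lists the regions the header declares as non-empty. The field offsets are assumptions taken from the publicly documented NCCH layout on 3dbrew (0x150 matches the product-code offset mentioned above); the function names and the sample header are constructed for illustration.

```python
import struct

def parse_ncch_header(hdr: bytes) -> dict:
    """Read region sizes from the first 0x200 bytes of an NCCH (.app) file."""
    if len(hdr) < 0x200 or hdr[0x100:0x104] != b"NCCH":
        raise ValueError("no 'NCCH' magic at offset 0x100")
    flags = hdr[0x188:0x190]
    unit = 0x200 << flags[6]          # media unit size in bytes

    def region(off):                  # (offset, size) pair stored in media units
        start, size = struct.unpack_from("<II", hdr, off)
        return {"offset": start * unit, "size": size * unit}

    return {
        "program_id": "%016X" % struct.unpack_from("<Q", hdr, 0x118)[0],
        "product_code": hdr[0x150:0x160].rstrip(b"\0").decode("ascii", "replace"),
        "exheader_size": struct.unpack_from("<I", hdr, 0x180)[0],
        "exefs": region(0x1A0),
        "romfs": region(0x1B0),
    }

def regions_present(info: dict) -> list:
    """Names of the regions the header declares as non-empty."""
    found = []
    if info["exheader_size"]:
        found.append("exheader")
    for name in ("exefs", "romfs"):
        if info[name]["size"]:
            found.append(name)
    return found

def build_sample_header() -> bytes:
    """Constructed header: exheader and exefs present, no romfs region."""
    hdr = bytearray(0x200)
    hdr[0x100:0x104] = b"NCCH"
    struct.pack_into("<Q", hdr, 0x118, 0x0004000E0011D700)  # title ID from the thread
    hdr[0x150:0x15A] = b"CTR-X-TEST"                        # placeholder product code
    struct.pack_into("<I", hdr, 0x180, 0x400)               # exheader size in bytes
    struct.pack_into("<II", hdr, 0x1A0, 5, 0x10)            # exefs offset/size (units)
    return bytes(hdr)

if __name__ == "__main__":
    info = parse_ncch_header(build_sample_header())
    print(info["program_id"], info["product_code"], regions_present(info))
```

Run against the first 0x200 bytes of a real decrypted .app, a romfs size of zero means the container simply has no RomFS region to extract.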